Latest Facebook Attack Stems from Previous One

The latest Koobface virus attack on Facebook, which is grabbing headlines this week, was actually spawned by an earlier attack back in October, according to a security expert.

"This is the result of the virus seeding users' computers the last time they hit Facebook," Guillaume Lovet, senior manager of threat research at antivirus software vendor Fortinet, told InternetNews.com.

That malware remained on the users' computers and is now striking again, Lovet said. "It's very difficult for Facebook to deal with this problem because the malware is on the users' computers," he added.

The malware could impact businesses that have tie-ins with Facebook, Dave Marcus, security research and communications director for McAfee (NYSE: MFE) Avert Labs, told InternetNews.com.

Fortinet had discovered the previous attack, where malware unknowingly downloaded by users sat in their computers and sent out messages to their Facebook friends urging them to click on videos uploaded to either Google's (NASDAQ: GOOG) Picasa photo-sharing site or to a shared video in the Google Reader RSS feed aggregation site.

"The reason this issue has cropped up again is that the worm has changed," Facebook spokesperson Barry Schnitt told InternetNews.com by e-mail. "We're working to stay ahead of it and limit further exposure."

Schnitt said a very small percentage of Facebook's users have been affected and the social networking site is updating its security systems to minimize further impact. This includes resetting passwords on infected accounts, removing the spam messages, which urge users' friends to click on a link that takes them to an infected Website, and coordinating with third parties to remove redirects to malicious content from sites elsewhere on the Web.

You better watch out

Getting rid of the virus will be difficult. Both Fortinet's Lovet and McAfee's Marcus said it is a server-side polymorphic virus, which means it tweaks itself automatically every five minutes or so. This makes it hard to combat because it presents a new signature every time it changes, and antivirus packages can only work against malware whose signature they recognize.

"It works like a mass mailer e-mail worm in some ways, infecting the machine and using the user's friends list to automatically send out infected copies," Marcus said. "Some of my own friends have been hit by Koobface."

The attacks could impact enterprises' efforts to leverage social networking. "As businesses start leveraging social networking sites, they need to factor in access control for those sites into their security," McAfee's Marcus said.

One of Facebook's most prominent partners is Salesforce.com (NYSE: CRM), which announced Force.com for Facebook at Dreamforce 2008, its annual user conference, last month. Salesforce declined to comment on this issue.

"Businesses who look at Facebook for the power of the communications tool really need to look at the malware today and make their malware countermeasures a part of what they're going to do with Facebook," Marcus said.

Enterprises should be especially careful of the recently announced Facebook Connect technology, which lets the social networking site's users port their account information to other Websites and applications, Marcus said.